A less well known feature of ASL is that it can detect attempts to brute force web application authentication. In concert with the HIDS, it will track these failures and much like the brute force rules after so many attempts it will shun the IP.

We write rules for web app brute force protection based on feedback, and we'd like feedback about what applications you'd like us to protect. So far we have rules for these web apps:

- PhpBB
- vBulletin
- WordPress
- Joomla
- Wikimedia
- SugarCRM

We know this isn't a complete list, so please let us know what apps you'd like us to protect.

So let us know!

To develop the rules we will need a working copy of the web application and the ability to download it and run it on our test servers, so please make sure you can provide that before you ask!

PmWiki: doesn't actually return anything if authentication fails; it returns the same page it uses when you first access a protected page. So I'm not sure brute force can be detected easily with PmWiki. If you have a setup you want us to look at, please provide a URL with an authentication page.

Is there any way to make these rules less trigger happy? i.e. allow them a couple of wrong ones before blocking. We are getting numerous complaints from people in regards to this blocking people when they accidentally type a wrong password or username, mainly on Joomla.

Also have had reports of the "forgotten password" on WordPress triggering the lockout (unconfirmed as yet though).

You can disable one or more of these by opening the rule manager and searching for the web application's name. For example, if you search for Joomla, you will see three rules that deal with login failures: 60156, 60157, 60908, which correspond to those thresholds above in that order.

You cannot change the thresholds at this point in ASL. That will be supported in a future version of ASL.
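To make the mechanism described in the announcement and in the threshold discussion concrete, here is an added example (not ASL's own rule code, and not the HIDS implementation) of how a log-watching detector counts web-application login failures per source IP in a sliding window and "shuns" the address once a threshold is crossed. The log lines, the IP addresses, the threshold of 5 failures in 60 seconds and the failure signature are all constructed assumptions: the example treats a POST to `/wp-login.php` that is answered with HTTP 200 (the form re-rendered) as a failed WordPress login and a 302 as a success, which is an assumption about WordPress behaviour and not a rule taken from ASL. The `threshold` parameter is what a less trigger-happy configuration would raise; the second run at the bottom shows that the same traffic no longer shuns anyone at a higher threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of an Apache/nginx combined log line:
#   ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed failure signature (constructed for this example, not an ASL rule):
# a POST to wp-login.php answered with 200 means the login form was re-rendered,
# i.e. the credentials were rejected; a successful login redirects with 302.
FAILURE_SIGNATURES = {
    "wordpress": (re.compile(r"^/wp-login\.php"), {200}),
}


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_login_failure(method, path, status):
    """Return the application name if this request matches a failure signature."""
    if method != "POST":
        return None
    for app, (path_re, fail_statuses) in FAILURE_SIGNATURES.items():
        if path_re.match(path) and status in fail_statuses:
            return app
    return None


class BruteForceTracker:
    """Count login failures per source IP in a sliding window; shun at `threshold`."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.shunned = {}                   # ip -> time the shun was applied

    def record_failure(self, ip, ts):
        """Record one failure; return True only at the moment the shun is triggered."""
        if ip in self.shunned:
            return False
        recent = self.failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the window, so a couple of typos spread
        # over a long period never add up to a block.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.shunned[ip] = ts
            return True
        return False


def analyze(lines, threshold=5, window_seconds=60):
    """Run the detector over log lines; return (tracker, list of shun events)."""
    tracker = BruteForceTracker(threshold, window_seconds)
    events = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        app = is_login_failure(method, path, status)
        if app and tracker.record_failure(ip, ts):
            events.append((ip, app, ts.isoformat()))
    return tracker, events


# Constructed sample log: one source hammers the login form, another user
# mistypes the password twice and then logs in successfully.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    tracker, events = analyze(SAMPLE_LOG)
    for ip, app, when in events:
        print(f"shun {ip} ({app} login failures) at {when}")
    # A higher threshold on the same traffic: no shun at all.
    _, quiet_events = analyze(SAMPLE_LOG, threshold=10)
    print(f"with threshold=10: {len(quiet_events)} shun events")
```

The shun is only ever a decision in this example; wiring it to a firewall is the HIDS's job and is left out. The second run illustrates the trade-off raised in the thread: a higher threshold or a shorter window tolerates a user's mistyped password, at the cost of letting a slow guesser make more attempts before being blocked.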
